Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
create_share
New Contributor II

Created on ‎11-29-2024 06:16 PM

Multiple Paths to the Same Destination

Hi,

 

We have an IPSec Tunnel between office1 and office2 to connect two Servers. We need office1 users to connect to the server in office2 using another interface instead of the IPSec Tunnel and let only the servers communicate over IPSec. How can we achieve this, if it is possible?

 

BR.

347
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎11-29-2024 07:41 PM Edited on ‎11-29-2024 07:45 PM

If you don't have to let all users/machines (including "office1 users") to use the IPsec when the "another interface (MPLS or point-to-point circuit?) " goes down, that's probably the easiest way to do it.
Remember, a policy route "sticks" even when the interface goes down. So if that happens, those "office1 users" can't get to office2 over the IPsec.

If you want to control those situations more flexibly, including based on sources and destinations, you have to set up a SD-WAN zone and put both the IPsec and another interface as members and set proper rules who uses which path in what situations more in detail.

 

Routing protocols would work for selecting the destinations only. So if you need to control the paths based on the source users/groups, they wouldn't work.

Toshi 

View solution in original post

322
2 REPLIES 2
create_share
New Contributor II

Created on ‎11-29-2024 07:23 PM

After creating a policy route, it is working. Is this the correct way to do it?

328
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎11-29-2024 07:41 PM Edited on ‎11-29-2024 07:45 PM

If you don't have to let all users/machines (including "office1 users") to use the IPsec when the "another interface (MPLS or point-to-point circuit?) " goes down, that's probably the easiest way to do it.
Remember, a policy route "sticks" even when the interface goes down. So if that happens, those "office1 users" can't get to office2 over the IPsec.

If you want to control those situations more flexibly, including based on sources and destinations, you have to set up a SD-WAN zone and put both the IPsec and another interface as members and set proper rules who uses which path in what situations more in detail.

 

Routing protocols would work for selecting the destinations only. So if you need to control the paths based on the source users/groups, they wouldn't work.

Toshi 

323
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.